3

I have a Cisco ASA 5505 (ver 8.2(2)) with two interfaces; inside (security level 100) and outside (security level 50). There is one subnet on inside, 10.1.1.0/24.

There is no NAT for traffic moving from inside to outside; that is handled by an upstream router.

I want to configure the firewall so that any system on the inside interface can initiate a connection to the outside world and receive the return traffic but the outside world cannot initiate connections to the inside systems. Letting the traffic out is easy: 

access-list inside_in extended permit IP 10.1.1.0 255.255.255.0 any

but what do I need to configure on the ASA to let the responses back in without opening the firewall to all traffic? normally this is handled by NAT, but in this case I do not want to use NAT.

DrStalker
  • 6,946
  • 24
  • 79
  • 107

3 Answers3

3

Last time I checked, you don't need to define a rule when crossing from a high security zone (100) to a lower security zone, it's permitted by default.

That being said, you'll want to look at the established documentation. Also doesn't hurt to take a quick look at the security-level docs either.

Jon Angliss
  • 1,782
  • 10
  • 8
  • Perfect: the following three lines have everything we need working: established tcp 0 0 established udp 0 0 access-list outside_in extended permit icmp any any echo-reply The allow-inside-out rule is there due to force of habit, as well as my dislike of trusting default settings that don't get displayed in configs. :-) – DrStalker Jun 22 '10 at 04:48
1

The ASA is stateful by default. If you allow the traffic out (either by security-level processing or by ACL) it will automatically allow the return traffic back through.

I would be inclined to believe you are actually running into a nat-control issue. Nat-control enforces the use of NAT, which is to say, if nat-control is enabled, any traffic traversing firewall interfaces MUST be NATed or it gets dropped. In 8.2 code, nat-control is enabled by default.

Since you mention you are not doing NAT on your Firewall, you will also have to disable nat-control by using the command no nat-control from global configuration. That, or configure NAT Exemptions to instruct your firewall to not NAT your traffic, while still satisfying nat-control.

To check if it is enabled: show run nat-control

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92
Eddie
  • 103
  • 1
  • 1
  • 4
0

I don't have ASA experience but with Cisco IOS the way you allow traffic back in is with the ip inspect command and this falls under Context Based Access Control (CBAC). This enables a stateful firewall feature on the IOS and creates temporary holes in the firewall (ACL) to allow for related traffic.

Maybe it is the same of ASA?

Kyle Brandt
  • 83,619
  • 74
  • 305
  • 448